Features & Columns

Cyber Snoops

THE WATCHERS: New transparency reports from Google and Twitter show that many requests from law enforcement agencies for private emails and social media accounts go widely unknown.

PROTESTERS who shouted and shared their experiences on Facebook and Twitter as they shut down the Brooklyn Bridge on Oct. 1, 2011, have found that their social media posts can and will be used against them. Police arrested nearly 700 marchers after they spilled off the sidewalks and overtook the roadway, closing down traffic.

The case against arrested protester Malcolm Harris hinged on whether he heard the order to clear the roadway. Investigators believed his tweets would tell the tale. The district attorney subpoenaed more than three months worth of Harris' archived Tweets. Twitter, the ACLU and Harris fought the order, arguing, in part, that Harris' communications should be protected from unlawful searches, just as if Tweets were letters.

They aren't.

After a year of wrangling over the privacy protections afforded Internet communications, Harris was convicted of disorderly conduct. He had tweeted about the order for marchers to get off the bridge.

Twitter successfully fought off a subpoena issued by the San Francisco District Attorney's Office that targeted another set of protesters a year later, after an anti-war protest got messy in the financial district. The DA eventually dropped that subpoena in December, the same month Harris was convicted in New York.

These cases are rare, but only because the efforts by law enforcement agencies attempting to access private online communications. became public More often, they give no notice and leave no trace, so there is nothing to fight.

According to data released by Twitter and Google, U.S. law enforcement requests for emails and other communication are increasing, jumping 20 percent for Twitter over the second half of 2012.

"What we can learn from the numbers is that governments have caught onto the fact that our lives have moved online," says Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, a privacy advocacy group.

Indeed, users' calendars, location information embedded in photos, videos, letters and semi-private Facebook conversations are all recorded and stored. Every new service adopted and form filled out adds more information about individuals that can be accessed by authorities, and few rules guide the release or protection of the data.

In 2012, American law enforcement asked to access information in Google accounts 16,407 times. The vast majority of the those were simple subpoena requests. More than 1,494 requests for Twitter information came in during the same time.

Google's chief legal officer, David Drummond, recently wrote that every day his company receives "dozens of letters, faxes and emails from government agencies and courts around the world requesting access to our users' private account information."

The numbers in separate transparency reports released in January by Twitter and Google show a fraction of what's happening. That's because few companies release similar studies publicly revealing how often investigators ask to tap into their databases. Yahoo!, for example, does not.

A 2011 ACLU public-records request forced the U.S. Department of Justice to reveal that it makes thousands of such requests a year. But even if law enforcement checked out your instant messages, you might never know. The vast majority of requests for information are sealed, meaning information about the requests may never be released unless a case goes to trial.

About 20 percent of the requests for information received by Twitter were sealed. And only a quarter of those investigated were told that police wanted access to their data.

A recent study by U.S. Magistrate Judge Stephen Smith published in the Harvard Law and Policy Review suggests that there were potentially more than 30,000 sealed orders for electronic information issued in the United States in a single year.

"In fact, this volume of ... cases is greater than the combined yearly total of all antitrust, employment discrimination, environmental, copyright, patent, trademark, and securities cases filed in federal court," Smith wrote.

While requests for personal electronic information have increased, Congress and the courts are struggling to keep up. The laws and legal decisions defining what's private and protected are decades old.

No matter a person's privacy settings, police treat information stored online completely differently then they would if it was stored in your home. Emails on a public server for 180 days are considered abandoned and don't require a warrant for law enforcement to read them, under the 1986 law governing such things. That's the same year Microsoft went public, and the first PC virus began to spread. Under those rules, it's not even clear that an email in transit is protected at all. Paper mail is provided greater security than electronic communication.

"Our postal mail even in the hands of a government agency, the post office, requires a warrant from a judge to be opened," Dempsey says. But police can go through emails, theoretically, with a simple subpoena. The difference is key.

Warrants require judicial scrutiny. Investigators must show enough probable cause of crime to convince a judge that the search doesn't violate Fourth Amendment rights against unreasonable search and seizure. A subpoena does not require that kind of review. Other than new email, it's unclear exactly what is protected and what isn't.

Under a ruling from the 1970s, finding out what a person can say on the phone requires a warrant but data—including what numbers a person calls—doesn't. That's the decision applied most often to today's vast world of electronic communication.

"I think most people believe that they don't have to worry about government surveillance because they don't think they are doing anything wrong," says Susan Freiwald, a San Francisco State University cyberlaw professor. "But the ratio between the number of orders [for information] and the number of prosecutions is off, which means that there is just a ton of people who are being investigated and whose privacy is being violated for no good reason."

Companies including Google and Twitter say they require police to have a warrant for content information, such as instant messages. Yahoo! generally requires a formal legal request before the company discloses user information, says spokeswoman Lauren Armstrong.

"In the case of email and IM communications, we require a search warrant based on the requirements of the Fourth Amendment to the Constitution," she says.

But these deals are simply agreements between service providers and users or service providers and police. It's not consistent across all email, photo storage or document-transfer services. Also, there's no transparency, no review to guarantee that releases of content only occurred when a warrant was presented.

Secrecy only complicates the question of online privacy, Freiwald says. As long as users don't know that their emails, photos and documents have been rifled through, they can't complain.

"We haven't had the opportunity to answer these questions," she says.

But soon there may be a chance to review the 1986 law governing access to people's online lives. Patrick Leahy (D-Vt.) has said he will bring up the Electronic Communications Privacy Act for review sometime during the 2013 Congressional session.

Dempsey hopes it results in a law that treats virtual photos, letters and documents with the same respect as physical photos, letters and documents.

"It's the same information. It's equally sensitive," he says. "The fact that you have used this technology shouldn't mean you have less a right for a privacy."